Hello Brian,

On Friday, December 13, 2002 at 2:46:28 PM you wrote:

>>>>> I know about the per user quota settings. Is there anywhere to do a
>>>>> per domain quota capping? Eg. Cap the quota for the directory of the
>>>>> domain.

>>>> Make use of system quota.
>>>> Create a dedicated user for each domain you want to have an overall
>>>> quota and make use of '-u' option in 'vadddomain'.

>>> When I had tried a similar thing earlier, qmailadmin refused to work
>>> probably due to change of user/group which expects vchkpw:vpopmail

>>> Is there any workaround for this problem, other than using a separate
>>> qmailadmin binary having identical permissions for every such domain
>>> group?

>> A theoretically, absolutely untested possibility could be putting all
>> domains in different system groups, but with user vpopmail and using
>> system-group-quotas, instead of system-user-quotas.

> If you use system quotas (as I do), then install qmailadmin setuid
> root and it all works fine. It will switch to the userid of the
> system account that is specified in the users/assign file.

Make sure the access to /cgi-bin/qmailadmin (or whatever your location
is) is additionally secured by webserver HTACCESS.
Running a cgi suid() to root is a dangerous thing, you _NEVER_ know
what exploits are possible.
The attacker might not be able to log in into qmailadmin, but he
might, for whatever reasons, be able to exploit the CGI and gain
root-access this way, BEFORE qmailadmin switches the identity.

Me personal would install separate qmailadmin-cgis or give the 'same
user, different groups and system group quotas' a try before setting
qmailadmin-cgi to SUID() root.
Best regards
Peter Palmreuther

Reply via email to